Rr. Kavajes, Square 21, Tirana, Albania +355 68 400 500 9 info@ernesthena.com

VPN Network Design with Wireguard


Requirements

  • Deploy an Ubuntu virtual machine in the cloud to act as the HUB and install a WireGuard server on it

  • Remote sites, referred to as spokes, should connect to the HUB via VPN

  • Only selected spoke network segments will be routed through the HUB

  • MikroTik routers (spokes) should communicate with each other through the HUB

  • Design the network to be highly scalable and easy to manage

Below is the network design (diagram):

Solution

 



>>>>>>>>HUB WIREGUARD<<<<<<<<<<

Install WireGuard on the Ubuntu server and change to its default configuration directory (the commands below are run as root, as in the prompts later on):
apt update && apt upgrade -y
apt install wireguard -y
cd /etc/wireguard


Generate a key pair for the hub and for each of the 3 spokes used in this example. Set a restrictive umask first so the private key files are not world-readable:
umask 077
wg genkey | tee privatekey-hub | wg pubkey > publickey-hub
wg genkey | tee privatekey-spoke01 | wg pubkey > publickey-spoke01
wg genkey | tee privatekey-spoke02 | wg pubkey > publickey-spoke02
wg genkey | tee privatekey-spoke03 | wg pubkey > publickey-spoke03

Create 3 WireGuard config files for the WireGuard service on the hub, one per spoke.
Remember that wg-quick treats every file named "<name>.conf" in its directory "/etc/wireguard" as the interface <name>, so wg01.conf becomes interface wg01, and the PostUp/PostDown rules must refer to that interface name.
The key values are the contents of the key files generated above (not the file names); the quoted names below mark where to paste them.

wg file for Spoke01
vi wg01.conf

#
[Interface]
Address = 10.0.1.1/30
ListenPort = 58101
MTU = 1420
# paste the contents of privatekey-hub, not the file name
PrivateKey = "privatekey-hub"

# interface name comes from the file name (wg01.conf -> wg01); replace eth0 with the hub's public interface
PostUp = iptables -A FORWARD -i wg01 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg01 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# not needed: wg-quick already installs a route for every AllowedIPs prefix out of wg01,
# and this duplicate route would fail with "File exists" and abort wg-quick
# PostUp = ip route add 10.1.0.0/16 via 10.0.1.2
# PostDown = ip route del 10.1.0.0/16 via 10.0.1.2

# SPOKE01
[Peer]
PublicKey = "publickey-spoke01"
AllowedIPs = 10.0.1.2/32, 10.1.0.0/16
#
Esc, then :wq! to save and exit

wg file for Spoke02
vi wg02.conf

#
[Interface]
Address = 10.0.2.1/24
ListenPort = 58102
MTU = 1420
# paste the contents of privatekey-hub, not the file name
PrivateKey = "privatekey-hub"

# interface name comes from the file name (wg02.conf -> wg02); replace eth0 with the hub's public interface
PostUp = iptables -A FORWARD -i wg02 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg02 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# not needed: wg-quick already installs a route for every AllowedIPs prefix out of wg02,
# and this duplicate route would fail with "File exists" and abort wg-quick
# PostUp = ip route add 10.2.0.0/16 via 10.0.2.2
# PostDown = ip route del 10.2.0.0/16 via 10.0.2.2

# SPOKE02
[Peer]
PublicKey = "publickey-spoke02"
AllowedIPs = 10.0.2.2/32, 10.2.0.0/16
#
Esc, then :wq! to save and exit

wg file for Spoke03
vi wg03.conf

#
[Interface]
Address = 10.0.3.1/24
ListenPort = 58103
MTU = 1420
# paste the contents of privatekey-hub, not the file name
PrivateKey = "privatekey-hub"

# interface name comes from the file name (wg03.conf -> wg03); replace eth0 with the hub's public interface
PostUp = iptables -A FORWARD -i wg03 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg03 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# not needed: wg-quick already installs a route for every AllowedIPs prefix out of wg03,
# and this duplicate route would fail with "File exists" and abort wg-quick
# PostUp = ip route add 10.3.0.0/16 via 10.0.3.2
# PostDown = ip route del 10.3.0.0/16 via 10.0.3.2

# SPOKE03
[Peer]
PublicKey = "publickey-spoke03"
AllowedIPs = 10.0.3.2/32, 10.3.0.0/16
#
Esc, then :wq! to save and exit

Check that the 3 files are present in the directory. They contain the hub's private key, so restrict them to root (chmod 600 /etc/wireguard/*.conf) rather than leaving them world-readable as in the listing below.
root@user:/etc/wireguard# ls -l
-rw-r--r-- 1 root root 50 May 11 08:06 wg01.conf
-rw-r--r-- 1 root root 50 May 11 08:06 wg02.conf
-rw-r--r-- 1 root root 50 May 11 08:06 wg03.conf

Start the 3 WireGuard interfaces (one per spoke). To bring them up at boot as well, enable the systemd units: systemctl enable wg-quick@wg01 wg-quick@wg02 wg-quick@wg03
wg-quick up wg01
wg-quick up wg02
wg-quick up wg03


Check that they are running
wg
Expected output as below (the peer section for each spoke follows each interface)
interface: wg01
public key: "publickey-hub"
private key: (hidden)
listening port: 58101

interface: wg02
public key: "publickey-hub"
private key: (hidden)
listening port: 58102

interface: wg03
public key: "publickey-hub"
private key: (hidden)
listening port: 58103




>>>>>>>>HUB ROUTING <<<<<<<<<<

Enable IP forwarding on the hub (required for traffic to pass between spokes and out through the masqueraded interface)
vi /etc/sysctl.conf
Uncomment
net.ipv4.ip_forward=1
Esc, then :wq! to save and exit
Apply the setting without a reboot and confirm it
sysctl -p
sysctl net.ipv4.ip_forward





>>>>>>>>SPOKE01 WIREGUARD<<<<<<<<<<

Now we need to configure one of the remote routers/spokes.
Connect to the MikroTik router with SSH (for example from PuTTY).
Add the WireGuard interface. The private key is the contents of "privatekey-spoke01" generated above (not the file name):
[admin@Mikrotik] /interface/wireguard> add name=wg-spoke01 private-key="privatekey-spoke01"

Add the hub as the WireGuard peer. The peer must be enabled (disabled=no) for the tunnel to come up. Because the hub config has no Endpoint for the spoke, the spoke always initiates the handshake; if the spoke sits behind NAT, add persistent-keepalive=25s so the NAT mapping stays open and the hub (and so the other spokes) can still reach it.
/interface wireguard peers add allowed-address=0.0.0.0/0 disabled=no endpoint-address="HUB-Public-IP" endpoint-port=58101 interface=wg-spoke01 public-key="publickey-hub" persistent-keepalive=25s


>>>>>>>>SPOKE01 POLICY ROUTING<<<<<<<<<<

Add the tunnel IP on wg-spoke01 (the hub side of this /30 is 10.0.1.1)
/ip address
add address=10.0.1.2/30 interface=wg-spoke01 network=10.0.1.0/30
Add the address 10.1.0.1/16 on the LAN interface; this is the spoke LAN segment that the hub expects in AllowedIPs
[admin@Mikrotik] > /ip address add address=10.1.0.1/16 interface=LAN

Add routing table for policy routing
/routing table/add disabled=no fib name=WG-TABLE

Mark the packets from the LAN so they are routed into the WireGuard VPN (the packet mark set by the first rule must be the one matched by the second)
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=WG-LAN-PACKET passthrough=yes src-address=10.1.0.0/16
add action=mark-routing chain=prerouting new-routing-mark=WG-TABLE packet-mark=WG-LAN-PACKET passthrough=yes

Add the policy route that pushes the marked LAN packets toward the hub
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.1.1 pref-src="" routing-table=WG-TABLE scope=30 suppress-hw-offload=no target-scope=10

Repeat the same steps for the other two spokes, substituting their own keys, hub ports (58102, 58103), transit addresses (10.0.2.2, 10.0.3.2) and LAN prefixes (10.2.0.0/16, 10.3.0.0/16).
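The numbering scheme used throughout (wgNN.conf, port 581NN, 10.0.NN.0/30 transit net, 10.NN.0.0/16 LAN) is what makes the design scale. The generator below is an added example, not code from the original page: it derives the hub's wgNN.conf and the matching RouterOS commands for any spoke number, so the details that are easy to get wrong by hand (interface name in the iptables rules, peer key, AllowedIPs, packet-mark names) stay consistent. Keys, the hub IP and the LAN interface name are constructed placeholders.

```python
# Added example (not part of the original page): derive every address, port and
# file name for spoke n from the page's numbering scheme, so a new spoke cannot
# mix up keys, interface names or prefixes. Assumed conventions: hub 10.0.n.1/30,
# spoke 10.0.n.2/30, hub port 58100+n, spoke LAN 10.n.0.0/16, public interface eth0.
from textwrap import dedent

def spoke_plan(n: int) -> dict:
    """Addressing plan for spoke n (1..254): one /30 transit net and one /16 LAN."""
    if not 1 <= n <= 254:
        raise ValueError("spoke number must be between 1 and 254")
    return {"name": f"spoke{n:02d}", "iface": f"wg{n:02d}", "port": 58100 + n,
            "hub_addr": f"10.0.{n}.1/30", "spoke_addr": f"10.0.{n}.2/30",
            "spoke_host": f"10.0.{n}.2", "lan": f"10.{n}.0.0/16"}

def hub_conf(n: int, hub_privkey: str, spoke_pubkey: str, wan_if: str = "eth0") -> str:
    """Render /etc/wireguard/wgNN.conf for the hub; key arguments are key contents."""
    p = spoke_plan(n)  # wgNN.conf becomes interface wgNN, so the iptables rules use it
    return dedent(f"""\
        [Interface]
        Address = {p['hub_addr']}
        ListenPort = {p['port']}
        MTU = 1420
        PrivateKey = {hub_privkey}
        PostUp = iptables -A FORWARD -i {p['iface']} -j ACCEPT; iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE
        PostDown = iptables -D FORWARD -i {p['iface']} -j ACCEPT; iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE

        # {p['name'].upper()}
        [Peer]
        PublicKey = {spoke_pubkey}
        AllowedIPs = {p['spoke_host']}/32, {p['lan']}
        """)

def mikrotik_cmds(n: int, spoke_privkey: str, hub_pubkey: str, hub_ip: str) -> list:
    """RouterOS commands for spoke n: tunnel, peer, addresses and policy routing."""
    p = spoke_plan(n)
    wg = f"wg-{p['name']}"
    return [
        f'/interface wireguard add name={wg} private-key="{spoke_privkey}"',
        f'/interface wireguard peers add interface={wg} public-key="{hub_pubkey}" '
        f"endpoint-address={hub_ip} endpoint-port={p['port']} allowed-address=0.0.0.0/0 "
        "persistent-keepalive=25s",  # keeps NAT state open so the hub can reach the spoke
        f"/ip address add address={p['spoke_addr']} interface={wg}",
        f"/ip address add address=10.{n}.0.1/16 interface=LAN",
        "/routing table add fib name=WG-TABLE",
        f"/ip firewall mangle add chain=prerouting src-address={p['lan']} "
        "action=mark-packet new-packet-mark=WG-LAN-PACKET passthrough=yes",
        "/ip firewall mangle add chain=prerouting packet-mark=WG-LAN-PACKET "
        "action=mark-routing new-routing-mark=WG-TABLE passthrough=yes",
        f"/ip route add dst-address=0.0.0.0/0 gateway=10.0.{n}.1 routing-table=WG-TABLE",
    ]
```

Write hub_conf(n, ...) to /etc/wireguard/wgNN.conf (mode 600) and paste the mikrotik_cmds(n, ...) lines into the spoke's RouterOS terminal; the two sides agree by construction.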

All Rights Reserved, Ernest Hëna ©2025